DKIM (DomainKeys Identified Mail) is an email authentication standard, defined in RFC 6376, that lets a sending mail server cryptographically sign outgoing messages. The server generates a digital signature covering the message body and selected headers, then attaches it as a DKIM-Signature header. When the receiving server gets the message, it pulls the domain (d= tag) and selector (s= tag) from that header, looks up the public key at selector._domainkey.domain.com in DNS, and verifies the signature. A valid signature proves two things: the message came from a server holding the private key for that domain, and the signed content was not tampered with in transit. DKIM is one of the three pillars of email authentication alongside SPF (RFC 7208) and DMARC (RFC 7489). Proper DKIM configuration is also required for BIMI brand logo display in supporting email clients.

What is a DKIM selector?

A DKIM selector is a label that lets a domain publish multiple DKIM public keys at the same time, as defined in RFC 6376 Section 3.1. It forms the first part of the DNS lookup path: selector._domainkey.example.com. This is what makes key rotation seamless. You publish a new key under a new selector, update your mail server to sign with it, and only remove the old selector after in-transit messages have been delivered. No downtime, no failed verifications. Selector names vary by platform: Google Workspace uses "google", Microsoft 365 uses "selector1" and "selector2", Mailchimp uses "k1" and "k2", SendGrid uses "s1" and "s2". Date-based selectors like "202601" are common for manual rotation. To find your current selector, look at the s= tag in any DKIM-Signature header from a sent email.

What key size is recommended for DKIM?

RFC 8301 sets RSA 2048-bit as the minimum acceptable key size for DKIM. The old 1024-bit keys that used to be everywhere are now considered weak and vulnerable to factoring attacks. RSA 4096-bit gives excellent security but can exceed the 512-byte DNS UDP packet limit from RFC 1035, forcing TCP fallback and adding latency. The better modern choice is Ed25519 as defined in RFC 8463. It provides security equivalent to RSA 3072-bit with just a 256-bit key, resulting in much smaller DNS TXT records and faster verification. To check your current key strength, enter your domain and selector into this tool. If you are still on 1024-bit RSA, the upgrade path is straightforward: generate a 2048-bit key, publish it under a new selector, update your signing config, then remove the old key once in-flight messages clear.

What does the DKIM testing mode flag (t=y) mean?

The t=y flag in a DKIM DNS record signals testing mode, as specified in RFC 6376 Section 3.6.1. With this flag set, receiving mail servers should treat the domain as testing its DKIM deployment and not alter message handling based on verification results. In theory, a failed DKIM check with t=y should not cause rejection or spam classification. In practice, some receivers and spam filters still factor the result into their scoring anyway. Testing mode exists for initial deployment validation. It lets you confirm your mail server produces valid signatures before committing to production enforcement. Once messages are passing DKIM checks consistently (verify via DMARC aggregate reports or email headers), remove the t=y flag. Leaving it on indefinitely signals to receivers that you are not confident in your own setup, which is not the impression you want to give.

What is the difference between RSA and Ed25519 DKIM keys?

RSA is the original DKIM algorithm from RFC 4871 (2007), updated in RFC 6376. It relies on the difficulty of factoring large primes and needs at least 2048 bits for adequate security per RFC 8301. A 2048-bit RSA key produces about 340 characters of base64 in the DNS TXT record. Ed25519, added in RFC 8463, uses Curve25519 elliptic curve cryptography. It delivers security equivalent to RSA 3072-bit with just a 256-bit key. That means DNS records roughly one-third the size and noticeably faster signing and verification. The catch is compatibility. Some older mail servers and filtering appliances do not support Ed25519 verification yet. A practical migration strategy is dual-signing: publish both an RSA and Ed25519 key under separate selectors so legacy receivers still verify RSA while modern ones benefit from Ed25519.

How do DKIM and BIMI relate?

BIMI (Brand Indicators for Message Identification) lets organizations display their brand logo next to authenticated messages in Gmail, Apple Mail, Yahoo Mail, and Fastmail. Valid DKIM is a prerequisite because BIMI requires DMARC enforcement at p=quarantine or p=reject, and DMARC depends on SPF or DKIM alignment passing. In practice, DKIM is the more reliable path to BIMI qualification since SPF frequently breaks when messages get forwarded through intermediary servers. The BIMI record lives as a DNS TXT record at default._bimi.example.com with two tags: l= pointing to an SVG Tiny 1.2 logo file, and optionally a= pointing to a Verified Mark Certificate (VMC). Gmail specifically requires a VMC from DigiCert or Entrust, which involves trademark verification. This tool checks for BIMI records alongside DKIM validation so you can see the full picture.

How do I find my DKIM selector?

Your selector is set by your email service provider or mail server software. Each platform has its own defaults. Google Workspace uses "google". Microsoft 365 uses "selector1" and "selector2" with automatic rotation. Amazon SES generates unique selectors per region, usually random alphanumeric strings. Mailchimp uses "k1" and "k2", SendGrid uses "s1" and "s2". The quickest way to find yours is to send a test email to yourself and look at the full message headers. Find the DKIM-Signature header and check the s= tag. If it says s=google, your public key lives at google._domainkey.yourdomain.com. If you are not sure which selector to check, just use this tool without specifying one. It automatically probes over 30 common selectors from major email platforms to find active DKIM keys for your domain.

Can a domain have multiple DKIM keys?

Yes. RFC 6376 Section 3.1 explicitly supports multiple DKIM keys per domain through different selectors. Each selector maps to its own DNS TXT record at selector._domainkey.domain.com, and there is no practical limit on how many you can have. Multiple keys cover several real-world scenarios. Key rotation is the big one: deploy a new key under a fresh selector before revoking the old one, so no in-transit messages fail verification. Multi-service signing is another common case, where Google Workspace, Mailchimp, and SendGrid each sign with their own selector and key pair. Algorithm migration works the same way: run RSA 2048-bit and Ed25519 keys simultaneously during the transition period as described in RFC 8463. Microsoft 365 does this by default, maintaining selector1 and selector2 and rotating between them automatically.

DKIM Record Checker

Look up and validate DKIM signing records for any domain. Verify key type, key strength, testing mode, and check BIMI brand indicators.

Written by Ishan Karunaratne · Last reviewed: March 11, 2026

What Is DKIM?

DKIM (DomainKeys Identified Mail) is an email authentication protocol defined in RFC 6376. It allows a sending mail server to attach a cryptographic signature to outgoing messages. The signature is stored in a DKIM-Signature header and covers the message body and selected headers.

When a receiving mail server gets the message, it extracts the domain and selector from the DKIM-Signature header, queries DNS for the public key at selector._domainkey.domain.com, and verifies the signature. A valid signature confirms the message came from an authorized server and was not modified after signing.

DKIM is one of the three pillars of email authentication, alongside SPF and DMARC. DMARC policy enforcement requires either SPF or DKIM alignment to pass. Without valid DKIM, your domain is vulnerable to email spoofing and phishing attacks.

How Does DKIM Signing Work?

Sender signs the message

The sending mail server computes a hash of the message body and selected headers, then encrypts it with the private key. The result is added as a DKIM-Signature header.

Receiver looks up the public key

The receiving server extracts the d= (domain) and s= (selector) tags from the DKIM-Signature header, then queries DNS for the TXT record at selector._domainkey.domain.com.

Signature is verified

The receiver decrypts the signature using the public key and compares it to its own hash of the message. If they match, the message is authentic and unmodified.

The DKIM DNS record contains structured tags per RFC 6376 Section 3.6.1. The p= tag holds the base64-encoded public key, the k= tag specifies the algorithm (rsa or ed25519), and the optional t=y flag marks the record as being in testing mode.

What Key Sizes Are Recommended for DKIM?

RFC 8301 (Cryptographic Algorithm and Key Usage Update to DKIM) establishes RSA 2048-bit as the minimum recommended key size. Keys smaller than this are vulnerable to factoring attacks. RFC 8463 adds Ed25519 as a modern alternative with superior security-per-bit ratio.

512-bit RSACritical

Factored in minutes with commodity hardware. Replace immediately.

1024-bit RSAWeak

Below RFC 8301 minimum. Vulnerable to well-resourced attackers.

2048-bit RSAAdequate

Current minimum per RFC 8301. Standard recommendation.

4096-bit RSAStrong

Very strong. May require DNS TCP fallback (exceeds 512-byte UDP limit).

Ed25519Strong

RFC 8463 — equivalent to RSA 3072-bit. Compact key, fast verification.

What Are Common DKIM Selectors?

Each email platform uses its own default DKIM selector. This tool auto-probes common selectors when you search without specifying one.

Google Workspace

google

Microsoft 365

selector1, selector2

Amazon SES

s1, s2 (varies)

Mailchimp

k1, k2

SendGrid

s1, s2

Proofpoint

proofpoint (varies)

Which RFCs Define DKIM?

RFC 6376

DomainKeys Identified Mail (DKIM) Signatures

The core DKIM specification. Defines the DKIM-Signature header, key record format (Section 3.6.1), signing algorithm, and verification process.

RFC 8301

Cryptographic Algorithm and Key Usage Update to DKIM

Updates RFC 6376 with modern cryptographic requirements. Mandates RSA 2048-bit minimum and deprecates SHA-1 hashing.

RFC 8463

A New Cryptographic Signature Method for DKIM

Adds Ed25519-SHA256 as a DKIM signing algorithm. Provides equivalent security to RSA 3072-bit with a 256-bit key.

RFC 8617

Authenticated Received Chain (ARC)

Extends DKIM for message forwarding scenarios. Preserves authentication results across intermediate mail servers.

What Are BIMI Brand Indicators?

BIMI (Brand Indicators for Message Identification) allows brands to display their logo in email client inboxes next to authenticated messages. Gmail, Apple Mail, Yahoo Mail, and Fastmail all support BIMI.

The BIMI record is a TXT record at default._bimi.example.com containing a URL to an SVG Tiny 1.2 logo file. For Gmail, a Verified Mark Certificate (VMC) from DigiCert or Entrust is also required. The logo must be a square SVG Tiny 1.2 file. This tool checks for your BIMI record, validates the logo URL, and reports VMC presence.

What Other Email Tools Help With Authentication?

DKIM is one part of a complete email authentication setup. For full coverage, check your other email DNS records:

•SPF Checker — Validate which mail servers are authorized to send email (RFC 7208)
•DMARC Checker — Analyze your email policy, alignment mode, and reporting (RFC 7489)
•MX Lookup — Find mail servers for a domain and detect email providers (RFC 5321)
•SMTP Diagnostics — Test mail server connectivity, TLS support, and open relay status

Frequently Asked Questions

What Is DKIM?

How Does DKIM Signing Work?

Sender signs the message

The sending mail server computes a hash of the message body and selected headers, then encrypts it with the private key. The result is added as a DKIM-Signature header.

Receiver looks up the public key

The receiving server extracts the d= (domain) and s= (selector) tags from the DKIM-Signature header, then queries DNS for the TXT record at selector._domainkey.domain.com.

Signature is verified

The receiver decrypts the signature using the public key and compares it to its own hash of the message. If they match, the message is authentic and unmodified.

What Key Sizes Are Recommended for DKIM?

512-bit RSACritical

Factored in minutes with commodity hardware. Replace immediately.

1024-bit RSAWeak

Below RFC 8301 minimum. Vulnerable to well-resourced attackers.

2048-bit RSAAdequate

Current minimum per RFC 8301. Standard recommendation.

4096-bit RSAStrong

Very strong. May require DNS TCP fallback (exceeds 512-byte UDP limit).

Ed25519Strong

RFC 8463 — equivalent to RSA 3072-bit. Compact key, fast verification.

Which RFCs Define DKIM?

RFC 6376

DomainKeys Identified Mail (DKIM) Signatures

The core DKIM specification. Defines the DKIM-Signature header, key record format (Section 3.6.1), signing algorithm, and verification process.

RFC 8301

Cryptographic Algorithm and Key Usage Update to DKIM

Updates RFC 6376 with modern cryptographic requirements. Mandates RSA 2048-bit minimum and deprecates SHA-1 hashing.

RFC 8463

A New Cryptographic Signature Method for DKIM

Adds Ed25519-SHA256 as a DKIM signing algorithm. Provides equivalent security to RSA 3072-bit with a 256-bit key.

RFC 8617

Authenticated Received Chain (ARC)

Extends DKIM for message forwarding scenarios. Preserves authentication results across intermediate mail servers.

What Are BIMI Brand Indicators?

What Other Email Tools Help With Authentication?

DKIM is one part of a complete email authentication setup. For full coverage, check your other email DNS records:

•SPF Checker — Validate which mail servers are authorized to send email (RFC 7208)
•DMARC Checker — Analyze your email policy, alignment mode, and reporting (RFC 7489)
•MX Lookup — Find mail servers for a domain and detect email providers (RFC 5321)
•SMTP Diagnostics — Test mail server connectivity, TLS support, and open relay status

DKIM Record Checker

What Is DKIM?

How Does DKIM Signing Work?

What Key Sizes Are Recommended for DKIM?

What Are Common DKIM Selectors?

Which RFCs Define DKIM?

What Are BIMI Brand Indicators?

What Other Email Tools Help With Authentication?

Frequently Asked Questions

What is DKIM?

What is a DKIM selector?

What key size is recommended for DKIM?

What does the DKIM testing mode flag (t=y) mean?

What is the difference between RSA and Ed25519 DKIM keys?

How do DKIM and BIMI relate?

How do I find my DKIM selector?

Can a domain have multiple DKIM keys?

DKIM Record Checker

What Is DKIM?

How Does DKIM Signing Work?

What Key Sizes Are Recommended for DKIM?

What Are Common DKIM Selectors?

Which RFCs Define DKIM?

What Are BIMI Brand Indicators?

What Other Email Tools Help With Authentication?

Frequently Asked Questions

What is DKIM?

What is a DKIM selector?

What key size is recommended for DKIM?

What does the DKIM testing mode flag (t=y) mean?

What is the difference between RSA and Ed25519 DKIM keys?

How do DKIM and BIMI relate?

How do I find my DKIM selector?

Can a domain have multiple DKIM keys?